zScaler VPN connections report regular "internal error" when SEP for Mac firewall is enabled—even when firewall is set to allow all network traffic.
zScaler typically displays "Internal Error" every few minutes with a "Retry" button.
Component : SEP for Mac
Release : all versions up to 14.3
If you are troubleshooting SEP for Mac firewall rules, an "Allow All" rule at the top the settings might not work at first. Try instead to use an "Allow All" rule that explicitly allows a range of remote IP addresses, IPv4 0.0.0.1 thru 255.255.255.255 and IPv6 0000:0000:0000:0000:0000:0000:0000:0000 thru FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
If this works, then consult your VPN documentation for the exact ports and network ranges used, and refine your "Allow VPN" rule.
Examine output of "ifconfig" command line on a Mac client, and look for "utun" interfaces which are used by VPN software. For example:
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 100.64.0.1 --> 100.64.0.1 netmask 0xffff0000
Allowing remote IP range 100.64.0.1–100.64.255.254 for the example above would allow the remote IPs used by VPN on this interface.
Consult your zScaler configuration and support pages for specific ports used by the software and add those ports to the rule to make it more selective.